Malicious websites drilling iPhones for years, discovers Google

Google's Threat Analysis Group (TAG) has discovered a large-scale, long-term attack on iPhone users. Unlike targeted attacks, here a series of hacked websites were delivering attacks designed to hack iPhones. The victims were unsuspecting users who visited these websites, said Google’s Project Zero team in a blog post.

The TAG discovered a small collection of hacked websites earlier this year. They were being used in indiscriminate watering hole attacks on those browsing them using iPhone, zero-day.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week, researcher Ian Beer wrote in the blog post.

The TAG found exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes.

"What is surprising is why Google has not called out the websites but instead pointed to the vulnerabilities. If the website hosting harmful malware are legitimate companies with serious infections then they are also responsible and must take action to secure them," said Joseph Carson, chief security scientist at Thycotic.

The attackers are using zero days, and cyber-criminals or nation states will not waste zero days on limited opportunistic cyber-attacks, he noted.

"This typically means that such cyber-attacks using zero days are targeted usually against a specific set of victims in order to access extremely sensitive data or gain persistent access, to laterally move to more sensitive networks or critical infrastructure, at a later time."

Though this malware can be wiped out by an iOS updation, one spell will spill out a trove of information about the phone’s user, Beer wrote in the blog post.

The popularity of the device increases the number of possible targets and the cumulative data is huge, noted Will LaSala director of security services at OneSpan.

"This makes the platform and it’s users highly targeted by organised hackers and crime. The amount of money still being exploited by these attacks is very large and helps keep the pressure on," he said.

Customer confidence on device security prompts them to overlook these threats that fly under the radar, wrote Beer. Several other cyber-security professionals agree.

"For a long time, there was a myth that iOS and OSX are secure operating systems and don't need any security systems like anti-malware to protect them. We have seen in some cases that apple systems were breached, but those were mostly breaches to iCloud and similar," said Boris Cipot, senior sales engineer at Synopsys.

"While iPhones have long been touted as a more secure mobile device, this incident shows this belief doesn’t stand true anymore," said Robert Ramsden-Board, EMEA VP at Securonix. "Users of Apple devices need to be just as security conscious as those using other handsets from other manufacturers."

The Apple brand itself is a prize catch for cyber-criminals, observed Jake Moore, cyber-security specialist at ESET. "Cyber-criminals around the world see breaking Apple’s ecosystem as a sort of a pinnacle of their ‘career’. So this amount of attacking will only ever increase," he warned.

"Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted," Beet wrote. The term targeted in this parlance means being born in a certain area or being part of a certain ethnic group, he explained.

The attack went unnoticed because it never affected the working of the OS, noted LaSala

"The best type of attack is one that doesn’t interfere with the user going about their normal business within the app. Hacks that stop the user from using a platform or an application tip the user off and the user will typically alert the provider and stop the attack."

For this reason, application providers should put additional layers of security when embedding their applications on any platform, he suggested. "Reliance on the platform to be able to catch every security hole is not a good security posture for any application today."

"Ironically this is not limited to just iPhone’s and many websites exist that are trying to implant malware into all vendors mobile devices to steal data or gain persistent access," observed Carson.

"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them," Beet wrote.

Technologies such as Application Shielding will help applications remain secure even when there are holes in the platform, suggested LaSala.

"Beyond Application Shielding, having a strong DevSecOps team and process can also help catch security problems within the application before its deployed. It is important to include security in the application development lifecycle and to continually examine that security," he added.